In my last post I spoke of the Apache Meecrowave server. It actually brings a set of extensions, and one in particular provides an OAuth2 server.

Side note: this is a 0.3.0 feature.

You may not know it, but CXF provides all you need to create an OAuth2 server; it is your responsibility, however, to wire it properly to get a functional server.

The Apache Meecrowave OAuth2 module is just about grabbing the right code from Apache CXF and wiring it into a ready-to-run server.

Concretely it has two flavors (exactly like Meecrowave core):

  • a dependency: useful to customize the server even further and to embed it in your own application
  • a fatjar ready to run

Of course it fully integrates with the Meecrowave configuration and wires most of the CXF OAuth2 options to the Meecrowave CLI.

I won't duplicate the documentation page, but running the server is as easy as:

java -jar meecrowave-oauth2-0.3.0-bundle.jar

If you run it this way you will never get any token, because you didn't wire a user datastore.

The easiest way (and one of the killer features of this module for tests) is to use the Meecrowave in-memory storage:

java -jar meecrowave-oauth2-0.3.0-bundle.jar \
  --users test=test --roles test=test

Then you can get a token:

curl -XPOST http://localhost:8080/oauth2/token \
  -d username=test \
  -d password=test \
  -d grant_type=password

Of course client_id and client_secret are supported, but you need to set up clients first.

In the current version meecrowave-oauth2 supports three storages for clients and tokens:

  • JCache
  • JPA
  • JWT

By default it uses JCache in local mode. It may not sound like the best approach, but if you think about it, and about what is implied if you lose the cache, then it is actually one of the best solutions for 65% of the cases. Side note apart, JWT is also an insanely good solution if you ensure you sign tokens strongly enough. JPA stays valid for simple tokens and servers that are not overloaded.

Concretely you will be able to configure the server through the command line. Here is a sample (but there are really a lot of available options):

java -Djava.security.auth.login.config=oauth2.conf \
  -jar meecrowave-oauth2-0.3.0-bundle.jar \
  --oauth2-client-force=true \
  --oauth2-refresh-token=true \
  --oauth2-refresh-token-lifetime=18000 \
  --oauth2-refresh-token-recycling=true \
  --oauth2-access-token-lifetime=1800 \
  --oauth2-use-jaas=true \
  --oauth2-provider=jpa \
  --oauth2-jpa-database-url=jdbc:mysql://oauth2.company.com:3606/oauth2 \
  --oauth2-jpa-database-username=oauth2 \
  --oauth2-jpa-database-password=oauth2 \
  --oauth2-jpa-database-driver=com.mysql.jdbc.Driver \
  --oauth2-jpa-max-active=256 \
  --oauth2-jpa-max-idle=5 \
  --oauth2-jpa-validation-interval=60000 \
  "--oauth2-jpa-validation-query=select 1"

This snippet will configure OAuth2 with the JPA provider and with custom refresh token support.

Being able to rely on a ready-to-use OAuth2 server is important because it lets you move very fast in development instead of reimplementing yet another token-based solution with a mandatory custom client implementation. Going with a home-made solution works but implies a lot of work, in particular on the browser side if you build a webapp. All this work can be skipped if you use a standard and widely used solution like OAuth2. OAuth2 is also very good for microservices or machine-to-machine cases thanks to its client (client_id) support.

If you need an OAuth2 server, have a look at Meecrowave OAuth2: it can make your life easier, and don't forget it is backed by the CXF community, which is actually a very solid community in terms of security!

Last thing: today the main flows are supported:

  • password
  • client_credentials
  • authorization_code
  • jwt bearer grant (urn:ietf:params:oauth:grant-type:jwt-bearer)
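
As an added example (not part of the original post and not the Meecrowave project's own code), here is a small Python client for the token endpoint used by the curl command above. It exercises three of the flows in the list: the password grant the curl command performs, the client_credentials grant for machine-to-machine calls, and the refresh_token grant that the --oauth2-refresh-token options enable, plus the Bearer header a caller then sends to a protected resource. The endpoint URL is the one from the post; the HTTP transport is a parameter so the flow can be exercised offline with a constructed response; the client names and secrets in the comments are made up. Client credentials are sent in an HTTP Basic header as RFC 6749 section 2.3.1 recommends, which keeps them out of request bodies; it is assumed here that the server accepts that method, otherwise pass client_id and client_secret as form parameters instead.

```python
"""Minimal OAuth2 client for the Meecrowave token endpoint (constructed example)."""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "http://localhost:8080/oauth2/token"  # endpoint from the post


def _urllib_transport(url, body, headers):
    """Real transport: POST a form-encoded body and return the parsed JSON reply."""
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def basic_auth_header(client_id, client_secret):
    """HTTP Basic value for client authentication (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(params, client_id=None, client_secret=None,
                  transport=_urllib_transport, token_url=TOKEN_URL):
    """Send one token request and validate the reply before trusting it."""
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    if client_id is not None:
        # credentials go in the header, not in the body or the query string
        headers["Authorization"] = basic_auth_header(client_id, client_secret or "")
    body = urllib.parse.urlencode(params)
    response = transport(token_url, body, headers)
    if "error" in response:
        raise RuntimeError(f"token endpoint returned {response['error']}: "
                           f"{response.get('error_description', '')}")
    if response.get("token_type", "").lower() != "bearer":
        # refuse anything we do not know how to present to a resource server
        raise RuntimeError(f"unexpected token_type {response.get('token_type')!r}")
    return response


def password_grant(username, password, **kw):
    """grant_type=password: exactly what the curl command in the post does."""
    return token_request({"grant_type": "password", "username": username,
                          "password": password}, **kw)


def client_credentials_grant(client_id, client_secret, **kw):
    """grant_type=client_credentials: machine-to-machine, no user involved."""
    return token_request({"grant_type": "client_credentials"},
                         client_id=client_id, client_secret=client_secret, **kw)


def refresh_grant(refresh_token, **kw):
    """grant_type=refresh_token: trade a refresh token for a new access token.
    With --oauth2-refresh-token-recycling=true the server also returns a new
    refresh token, so the caller must always keep the newest one."""
    return token_request({"grant_type": "refresh_token",
                          "refresh_token": refresh_token}, **kw)


def bearer_header(token_response):
    """Authorization header for calls to a resource protected by this server."""
    return {"Authorization": "Bearer " + token_response["access_token"]}


def is_expired(token_response, issued_at, now, skew=30):
    """True once the token should be refreshed. Refresh `skew` seconds early so
    an in-flight request does not hit a token that expires on the way."""
    return now >= issued_at + int(token_response.get("expires_in", 0)) - skew


if __name__ == "__main__":
    # Against a server started with --users test=test --roles test=test:
    tok = password_grant("test", "test")
    print(bearer_header(tok))
```

The transport parameter is what makes the client testable: a fake that returns canned token responses lets you check the request bodies, the Basic header and the refresh handling without a running server, while the default transport talks to the real endpoint.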
